-----Original Message-----
From: Louis Touton [mailto:touton@icann.org]
Sent: Friday, April 11, 2003 3:00 PM
To: council@dnso.org
Subject: [council] Concerns Regarding Report of Deletes Task Force
To the GNSO Council:
The agenda for the Council's next meeting (17 April 2003) includes the following item:
"6. Vote to approve the Deletes Task Force recommendations and
report for submission to the ICANN Board."
Because the Deletes Task Force commenced work before the GNSO PDP came into effect on 15 December 2002, a Staff Manager has not been assigned and the Task Force has not otherwise had significant staff involvement/support to date. As part of the overall process of transitioning to the PDP, Dan Halloran and I have just reviewed the Deletes Task Force's Final Report, as posted at <http://www.dnso.org/dnso/notes/20030323.DeletesTF-final-report.html>.
Based on that review, we have concerns regarding some aspects of the report. The purpose of this message is to alert the GNSO Council to the staff's concerns with the recommendations as currently framed.
Concern A: The Proposed Mandatory Deletion Policy Does Not Allow for Extenuating Circumstances
In its current form, the report makes two recommendations that require registrars to delete domain-name registrations within 45 days after they expire. These recommendations appear to apply absolutely, not allowing exceptions for various extenuating circumstances under which deleting registrations by that deadline could harm innocent registrants or result in loss of DNS nameservice for other domains.
The recommendations are 3.1.1 and 3.1.2:
"3.1.1 Domain names must be deleted if a paid renewal has not been
received by the registrar from the registrant or someone acting on
the registrant's behalf by the end of the Auto-renew Grace Period
(generally forty-five days after the domain's initial expiration).
As a mechanism for enforcing this requirement, registries may elect
to delete names for which an explicit renew command has not been
received prior to the expiration of the grace period."
"3.1.2 Domain names must be deleted within 45 days of the expiration
of the registration agreement between the registrar and registrant,
unless the agreement is renewed."
It appears that a registrar has no ability to delay deletions past 45 days in extenuating circumstances. Here are a few hypothetical situations intended to highlight the serious problems such an unqualified rule could cause:
Hypothetical #1: Shortly before the 45-day deadline, the registrar discovers that its contact data for the registrant has been altered due to hacking or some other incident in the registrar's systems. The registrar concludes that, as a result of the alteration, a renewal notice was never sent to the proper address for the registrant, so that the registrant has never paid a renewal fee and has never entered into a renewed registration agreement. Nonetheless, the registrar is required by 3.1.1 and 3.1.2 to delete the registration, resulting in DNS service to the registrant being shut off. The service can only be restored, after some delay, through restoration under the redemption grace period.
Hypothetical #2: The registrant's main office is located in a building that has suffered a disaster due to flood/fire/earthquake/war/terrorism/etc. The renewal notice was sent to that address, but it appears doubtful that the registrant would have been able to complete the renewal process by the deadline. Nonetheless, the registrar is required by 3.1.1 and 3.1.2 to delete the registration, resulting in DNS service being shut off.
Hypothetical #3: A registration is the subject of court proceedings over who is the proper domain-name holder. The court issues an order requiring that the registrar "freeze" the domain registration, to prevent any changes. The registrant does not pay the renewal fee, putting the registrar in the position of either violating the court order or breaching 3.1.1 and 3.1.2 (and therefore its accreditation agreement with ICANN).
Hypothetical #4: A registrar has submitted a "registrar certificate" to a court concerning a domain name that is currently involved in court proceedings. In the registrar certificate, the registrar has submitted the registration to the court's jurisdiction and has promised not to modify, transfer, or delete the registration during the court proceedings. No renewal takes place within 45 days after expiration, so that 3.1.1 and 3.1.2 require the registrar to act contrary to the registrar certificate.
Hypothetical #5: A domain name registered through a registrar is used to support the host names of nameservers that provide secondary nameservice for 20,000 domains held by other customers, which are registered through many different registrars. The registration is not renewed. As a result, nameservice for the 20,000 other domains must be migrated to other hosts. This is not accomplished in 45 days, and as a result 20,000 domains disappear from the Internet.
Hypothetical #6: Shortly after the expiration date of a registration, the registrar is informed that the registrant has filed for bankruptcy. The registrar's legal advisors have cautioned the registrar to refrain from terminating services to the bankrupt registrant without court permission. Recommendations 3.1.1 and 3.1.2, however, require the registrar to delete the registration.
Hypothetical #7: During the 45-day period after expiration, the registrant asserts that it has made a renewal payment to the registrar, but the registrar has been unable to complete its investigation into the payment dispute before the 45-day deadline. The registrar is uncertain whether it must delete the registration in order to comply with 3.1.1 and 3.1.2.
Hypothetical #8: The registrar has a long-standing relationship with a registrant; the registrar knows that one of the registrant's domain registrations that has expired is for an important and heavily used name, and suspects that the registrants' failure to renew was caused by an oversight. The registrar is unable to resolve the issue with the registrant within the 45-day period. As a result, recommendations 3.1.1 and 3.1.2 require the registrar to delete the registration, shutting off nameservice for the domain.
Based on a plain reading of the recommendations of 3.1.1 and 3.1.2, in many if not all of these hypothetical cases the registrar would apparently be required to delete names, even though contrary to technical prudence or even other legal requirements. While it may make sense to prescribe a uniform time frame for registrar deletion of expired names, the hypothetical situations described above point to the difficulty of making hard and fast rules without allowing for exceptions in extenuating circumstances.
Concern B: The Recommendations Concerning Mandatory Disclosures Inappropriately Restrict Certain Registrar Business Models
Recommendations 3.1.4 and 3.1.6 seem to prevent registrars from adapting and evolving their service offerings over time since they mandate that policies and prices be provided "at the time of registration", even though the policies and prices may not come into effect until after the registration expires (and after the registrant has the opportunity to transfer to another registrar). These provisions state:
"3.1.4 Registrars must provide a summary of their deletion policy,
as well as an indication of any auto-renewal policy that they may
have, at the time of registration. This policy should include the
expected time at which a non-renewed domain name would be deleted
relative to the domain's expiration date, or a date range not to
exceed ten days in length."
"3.1.6 Registrars should provide, both at the time of registration
and in a conspicuous place on their website, the fee charged for the
recovery of a domain name during the Redemption Grace Period."
It is not clear whether registrars would be able to modify their procedures or prices at any time after initial registration of a domain name.
Also, recommendations 3.1.5 and 3.1.6 seem to obligate all registrars to operate websites. In some business models currently available to registrars, including reseller models and models used in some regions of the world, registrars do not operate principally through websites, but use other means to communicate with prospective and actual customers. There is no current requirement that registrars operate websites, other than for a web-based Whois service. These recommendations appear unnecessarily to restrict these alternative registrar business models.
Concern C: Mandatory "Payment" Policies Could Stifle Registrar Business Models
Recommendation 3.1.1 (and possibly recommendation 3.1.6) appears to require that registrars charge all customers for registration and RGP services. Some registrars operate business models under which some or all registrants are not charged specifically for registration services. In accord with ICANN's mission, Registrar Accreditation Agreement §3.7.10 specifically precludes any policy that regulates registrar
prices: "Nothing in this Agreement prescribes or limits the amount Registrar may charge Registered Name Holders for registration of Registered Names." By requiring that renewals be paid, recommendation 3.1.1 contradicts this principle. Implementation of a requirement that a fee be charged for renewals would also raise serious concerns under relevant antitrust and competition laws.
Concern D: Overlap with Whois Recommendations
On 27 March 2003, the ICANN Board adopted four consensus-policy recommendations relating to Whois accuracy and bulk access. One of those recommendations states:
"B. When registrations are deleted on the basis of submission of
false contact data or non-response to registrar inquiries, the
redemption grace period -- once implemented -- should be applied.
However, the redeemed domain name should be placed in registrar hold
status until the registrant has provided updated WHOIS information
to the registrar-of-record."
This recommendation is currently early in the implementation process.
The Final Report of the Deletes Task Force contains this recommendation on the same topic, but proposing a somewhat different policy:
"3.3.1 The Redemption Grace Period will apply to names deleted due
to a complaint on WHOIS accuracy. However, prior to allowing the
redemption in such a case, the registrar must update the
registration with verified WHOIS data and provide a statement
indicating that the data has been verified in conjunction with the
request for the name's redemption. The same rules that apply to
verification of WHOIS data for regular domain names following a
complaint will apply to deleted names."
By proposing overlapping policies so soon after one another, the GNSO would significantly complicate the task of implementing the policies.
Thank you for your attention. Please feel free to contact me if you have any questions.
Best regards,
Louis Touton
General Counsel